Network World

Windows WINS attacks in the wild

SANS Institute tracks activity on port associated with Microsoft service
By John Fontana, Network World, 08/18/2009

The "critical" WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, according to the SANS Institute.

UPDATE: Windows WINS attack originating in China

The Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft's WINS service on Windows NT, 2000 and 2003 servers.

WINS is a central mapping of host names to network addresses and lets users find computers on a network.

Last week, Microsoft issued patch MS09-039 to close the WINS vulnerability, which could allow remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a Windows replications packet sent to TCP Port 42.

Data collected by the ISC shows that over the past few days Internet activity associated with Port 42 has risen dramatically.
MS09-039 was issued on Aug. 11 when ISC was reporting roughly zero targets per day in association with Port 42 activity. By Aug. 13 that number had spiked to around 30,000, and by Aug. 16 the number was 70,000.

Microsoft reported on its Exploitability Index, which is calculated for each patch released, that there is a high likelihood of "consistent exploit code" for the WINS vulnerability on Windows 2000 Service Pack 4. For the other affected platforms, Windows Server NT and 2003, Microsoft said that "inconsistent exploit code" was likely.

Eric Schultze, CTO for Shavlik Technologies, said last week that the WINS issue "is an unauthenticated server-side attack -- the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server." He noted, however, that the attack is most likely to come from inside a user's network because the necessary port -- Port 42 -- to execute the attack is usually blocked at the Internet firewall.

Regardless, his recommendation was to "patch this right away on your WINS servers."

Andrew Storms, director of security operations for nCircle, also said last week that the WINS vulnerability could become a "potential worm vector."
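For administrators who want to check their own exposure, the following added example (not from the article, SANS or Microsoft) computes an ISC-style count of distinct TCP Port 42 targets per day from firewall logs and flags any connection from outside the network that the firewall allowed. The key=value log format, the internal address ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

WINS_REPLICATION_PORT = 42  # TCP port named in the article
# Assumption: address ranges this site treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2009-08-11T09:00:01 SRC=10.0.0.7 DST=10.0.0.12 PROTO=TCP DPT=42 ACTION=ALLOW
2009-08-13T02:14:07 SRC=203.0.113.5 DST=10.0.0.12 PROTO=TCP DPT=42 ACTION=DROP
2009-08-13T02:14:09 SRC=203.0.113.5 DST=10.0.0.13 PROTO=TCP DPT=42 ACTION=DROP
2009-08-13T07:30:00 SRC=198.51.100.9 DST=10.0.0.12 PROTO=TCP DPT=42 ACTION=ALLOW
2009-08-13T08:00:00 SRC=10.0.0.7 DST=10.0.0.12 PROTO=UDP DPT=42 ACTION=ALLOW
2009-08-13T08:05:00 SRC=10.0.0.44 DST=10.0.0.12 PROTO=TCP DPT=445 ACTION=ALLOW
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\w+)$"
)

def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def summarize_port42(log_text):
    """Return (distinct TCP/42 targets per day, allowed connections from outside)."""
    targets = defaultdict(set)
    exposed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != WINS_REPLICATION_PORT:
            continue  # malformed line, or not TCP Port 42 traffic
        targets[m["day"]].add(m["dst"])
        # An allowed connection from outside means the perimeter block is missing.
        if m["action"] == "ALLOW" and not is_internal(m["src"]):
            exposed.append((m["day"], m["src"], m["dst"]))
    return {day: len(dsts) for day, dsts in targets.items()}, exposed

if __name__ == "__main__":
    print(summarize_port42(SAMPLE_LOG))
```

Internal sources are counted in the per-day totals as well, since the article notes that the attack is most likely to come from inside the network.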


Comments (1)

Easy to mitigate
By Anonymous on August 19, 2009, 10:07 pm

Just don't run WINS. It's not needed, anyway. Just make sure names are resolvable by other means, like DNS.
